How to let normal users shut down the computer in Linux

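Yes, this is another reposted article. Although it is in English, it is simple and easy to follow; I hope newcomers who are unfamiliar with the topic will not skip it and will read it carefully.
Letting an ordinary user shut down a Linux machine is a perennial topic in Linux discussion groups. The main reason is that people do not understand the concepts of account and user. Without understanding the old time-sharing operating system concept, and without having lived through the era when multiple users queued up to use punch-card computers, the idea of multiple accounts is not easy to grasp.
The shutdown commands mentioned in this article are quite elegant. "Elegant" here is relative to the crude and simple reboot, init 0, shutdown -h 0 and so on. ^_*
In the Ubuntu desktop environment, poweroff is actually a symbolic link that still calls systemd, and systemd relies on polkit to implement shutdown by non-root users.
Enough small talk.
Source (refer to): http://www.spencerstirling.com/computergeek/shutdown.html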

Spencer Stirling

This may seem like a stupid issue - why SHOULDN’T the average user be able to turn off his/her own machine?

The answer is that Linux is inherently designed as a multiuser system. It would generally be a bad thing if any one user would be allowed to spontaneously turn off the computer while other users are working. Just imagine what hell would ensue if your webserver were taken down by some insignificant user halfway across the world.

Of course, it does seem a little overprotective if the user is physically sitting at the machine, since he/she could just reach over and hit the power button (don’t do that!!!).

There are several schools of thought concerning how to allow a user to shut down a machine properly. The first method seems somewhat useless to me, but I put it here for completeness.

shutdown.allow
There is a file in /etc called shutdown.allow (and if there isn’t, root can add it). This file contains a list of users (1 per line) who are allowed to shutdown the computer.

This doesn’t mean that these users can invoke the shutdown (or reboot or halt) command(s). Instead, it means that an authorized user can shut down the computer by pressing ctrl+alt+del.

In order for this to occur, the ctrl+alt+del key sequence must be trapped in the /etc/inittab file. The necessary line in inittab is

ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

When ctrl+alt+del is pressed, init checks if there is an authorized user (listed in /etc/shutdown.allow) logged into any virtual console, and proceeds to shutdown if this is true.

Of course, if I’m running X windows, then generally the window manager will trap ctrl+alt+del for itself, so this won’t work anymore.

sudo
The program sudo allows normal users to execute certain root-only commands. Which users are authorized to run which commands is specified in the /etc/sudoers file. This should only be edited with the command visudo.

For example, suppose I wanted to add a group of users who are allowed to shut down the machine. So I first want to add a group called “shutdown” (run these commands while root)

groupadd shutdown

Then I need to edit the /etc/group file to add users to the "shutdown" group. I just tack the usernames at the end of the shutdown line, separated by commas, e.g.

shutdown:x:407:user1,user2,…

Whatever users I put there will be able to shut down the computer (so choose wisely). Now I need to configure sudo to allow members of the “shutdown” group to actually invoke the assorted shutdown commands provided in linux. Run visudo and add the following lines

%shutdown ALL=(root) NOPASSWD: /sbin/reboot
%shutdown ALL=(root) NOPASSWD: /sbin/halt
%shutdown ALL=(root) NOPASSWD: /sbin/shutdown

This allows the “shutdown” group to run /sbin/reboot, /sbin/halt, and /sbin/shutdown AS IF THEY WERE ROOT. The only caveat is that the users must run the commands with the command sudo in front, e.g.

sudo /sbin/halt

This is always a bit of a pain (and users never remember), so I can create the following script called “/usr/bin/reboot” (and similar scripts for halt and shutdown)

#!/bin/sh
# "$@" hands each argument to reboot unchanged; an unquoted $* would re-split them
sudo /sbin/reboot "$@"

Remember to make these scripts executable! To make this slightly more secure, I might want to change the ownership of these scripts to the “shutdown” group

chgrp shutdown /usr/bin/reboot /usr/bin/halt /usr/bin/shutdown

and then make them executable only for the group “shutdown”

chmod 750 /usr/bin/reboot /usr/bin/halt /usr/bin/shutdown
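
A NOPASSWD rule is only as safe as the file it names, so after adding the rules above it is worth checking that each target is owned by root and not writable by group or others. The audit script below is an added example, not part of Stirling's article; the function names and the embedded sample fragment are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the commands a sudoers fragment grants with NOPASSWD.
# SAMPLE_SUDOERS is constructed here; it repeats the three rules from the article.
SAMPLE_SUDOERS='%shutdown ALL=(root) NOPASSWD: /sbin/reboot
%shutdown ALL=(root) NOPASSWD: /sbin/halt
%shutdown ALL=(root) NOPASSWD: /sbin/shutdown'

# Read sudoers text on stdin; print each command path granted NOPASSWD to %GROUP.
nopasswd_cmds() {
    group=$1
    awk -v g="%$group" '
        $1 == g && /NOPASSWD:/ {
            sub(/^.*NOPASSWD:[ \t]*/, "")          # keep only the command list
            n = split($0, cmds, /[ \t]*,[ \t]*/)   # rules may list several commands
            for (i = 1; i <= n; i++) { split(cmds[i], w, /[ \t]+/); print w[1] }
        }'
}

# Succeed only if FILE exists, is owned by OWNER_UID (default 0, root) and is
# not writable by group or others. Symlinks are followed (-L) because on
# systemd machines /sbin/reboot is usually a link to systemctl.
target_is_safe() {
    file=$1 want_uid=${2:-0}
    [ -f "$file" ] || return 1
    set -- $(ls -ldnL "$file")      # $1 = mode string, $3 = numeric owner
    [ "$3" = "$want_uid" ] || return 1
    case $(printf '%s' "$1" | cut -c6,9) in
        --) return 0 ;;             # neither group-write nor other-write set
        *)  return 1 ;;
    esac
}

# Audit every NOPASSWD target for GROUP (sudoers text on stdin).
# Prints one verdict per path; returns non-zero if any target fails.
audit_group() {
    rc=0 owner_uid=${2:-0}
    for cmd in $(nopasswd_cmds "$1"); do
        if target_is_safe "$cmd" "$owner_uid"; then
            echo "ok      $cmd"
        else
            echo "UNSAFE  $cmd"; rc=1
        fi
    done
    return $rc
}

printf '%s\n' "$SAMPLE_SUDOERS" | audit_group shutdown ||
    echo "review the UNSAFE entries before trusting these rules"
```

The check covers the target file only; a parent directory that a non-root user can write to would need the same test.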

KDE shutdown
If you are running kdm (the kde display manager - e.g. graphical login) then the shutdown behavior can be modified in “Control Panel” (in "Administrator Mode" of course). If you are starting KDE manually (using startx or startkde) then you will have to resort to the previous “sudo” solution (and probably add a shortcut on the desktop to one of those scripts).

XFCE4 shutdown
If you are using xfce4 then you will need to configure a few items in order to use the built-in “Reboot computer”/“Turn off computer” options available when you are logging out.

CHANGE - SEE BELOW FOR XFCE 4.2

XFCE 4.0
First, all users who are allowed to shut down the machine from xfce4 must be listed in the /etc/xfce4/shutdown.allow file (syntax is just like in the /etc/shutdown.allow file - see above). Second, the file permissions on the xfce4-shutdown program must be modified. This file is usually in /usr/sbin/xfce4-shutdown, so I would type

chmod u+s /usr/sbin/xfce4-shutdown

the “u+s” argument means that the command xfce4-shutdown will run as though the owner (probably root) initiated it, regardless of which user actually called the program.

This should be enough to shut down the computer from xfce4.

Instructions for XFCE 4.2
The game has changed for xfce 4.2. Now you must instead allow sudo access to a program called /usr/sbin/xfsm-shutdown-helper (note: this may also be located in /usr/local/libexec/ - just use the “locate” command to find xfsm-shutdown-helper).

Using the same kind of ideas presented above in the sudo method of shutdown, I add the following line to /etc/sudoers file (using visudo)

%shutdown ALL=(root) NOPASSWD: /usr/sbin/xfsm-shutdown-helper

This allows the “shutdown” group to shutdown the machine.

This page has been visited times since January 13, 2005

————————————————————————————————end————————————————————————————————

Back to the top of this post, the crude and simple solution is:
chmod 700 /sbin/shutdown

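In fact this question is rather meaningless: a desktop system is used by people who have physical access to the machine, so any user can cut the power and achieve the same effect as a shutdown.
For a long time, "ordinary Linux users cannot shut down the machine" has been widely known as common knowledge that beginners need to learn. On this point, here is the view of 尘光, former president of USTC LUG:

Keyword: the difference between an "account" and a "user". A shutdown may be performed by a user, not by an account.

So in essence this has nothing to do with whether the system is a desktop or a server.
Not allowing ordinary accounts to shut down a server is not meant to keep accounts from interfering with one another; it is an additional protection mechanism.

* For a terminal that is normally used with physical access, "only the root account may shut down" is a meaningless restriction
* For a host that is normally used without physical access, "only the root account may shut down" is a meaningful restriction and protective measure
 This has nothing to do with the operating system!!!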

According to the ArchWiki, ordinary users can reboot and shut down with systemctl, without using sudo.
systemctl poweroff
systemctl reboot

Besides the systemctl approach above, the ArchWiki also describes a sensible combination of sudo and alias that lets ordinary users type the shutdown commands directly (sudo grants the specific commands without a password, and alias replaces the shutdown commands). It is a stroke of genius, so damn clever.

alias reboot="sudo systemctl reboot"
alias poweroff="sudo systemctl poweroff"
alias halt="sudo systemctl halt"

user hostname =NOPASSWD: /usr/bin/systemctl poweroff,/usr/bin/systemctl halt,/usr/bin/systemctl reboot

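Apart from systemd, this is probably also a fairly elegant solution.

I also found something else rather interesting: http://www.spencerstirling.com/computergeek/shutdown.html

Create a shutdown.allow file in the /etc/ directory that works together with /etc/inittab; the users whose names are written in /etc/shutdown.allow can shut down with the Ctrl+Alt+Del key combination. (However, the major mainstream distributions no longer have inittab, so this is for reference only.)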

Reposted from blog.csdn.net/bugsycrack/article/details/84029151